
I was getting very peculiar spikes of CPU usage from the msmpeng.exe which is the Microsoft Security Essentials anti-virus and anti-spyware, but this would happen when I did not have an active scan running or scheduled. I scanned with Malwarebytes Anti-Rootkit (MBAR) and it flagged something. I also scanned with ComboFix, regular Malwarebytes, Malwarebytes AdwCleaner, RKill, HitmanPro, RogueKiller, and Emsisoft Emergency Kit. ComboFix showed some abnormal behavior and gave a message. I'll attach the log for it. Aside from MBAR nothing was flagged. After ComboFix ran I no longer saw the CPU spikes, but I'm not sure whether the removal process was entirely completed nor what I was infected with. Here are my FRST logs:

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Synaptics SMBus TouchPad
Description: Synaptics SMBus TouchPad
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Synaptics
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (03/21/2018 12:08:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/21/2018 12:05:11 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Type with the following error:
Access is denied.

Error: (03/21/2018 12:05:10 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Type with the following error:
Access is denied.

Error: (03/21/2018 11:44:37 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/21/2018 11:43:29 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/21/2018 11:38:13 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/21/2018 11:37:58 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

CodeIntegrity:
===================================

Date: 2018-03-21 11:37:58.581
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-03-21 11:37:58.566
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
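An added defender's check, not part of the original post or of FRST: the script below re-verifies the Authenticode status of the same system binaries the FRST log lists as digitally signed, and enumerates the WMI permanent event subscriptions (filters, consumers, bindings) that the WinMgmt EventID 10 error above refers to, so an unexpected consumer bound to a filter can be spotted. The file list is copied from the log; run from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Re-check the binaries FRST reported as signed.
# Caveat: on older PowerShell versions Get-AuthenticodeSignature does not consult
# catalog signatures, so OS files may show "NotSigned" even though FRST reports them
# as signed; treat "HashMismatch" or an unexpected signer as the real warning signs.
$files = @(
    "$env:SystemRoot\system32\winlogon.exe",
    "$env:SystemRoot\system32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\system32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\system32\services.exe",
    "$env:SystemRoot\system32\User32.dll",
    "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\system32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\system32\rpcss.dll",
    "$env:SystemRoot\system32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\system32\Drivers\volsnap.sys"
)

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Output "$f => MISSING"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
    Write-Output ("{0} => {1} [{2}]" -f $f, $sig.Status, $signer)
}

# WMI permanent event subscriptions live in root\subscription. The filter quoted in the
# event log (Win32_Processor LoadPercentage > 99) is a common stock entry; what matters
# is which consumer each filter is bound to. A CommandLineEventConsumer or
# ActiveScriptEventConsumer you do not recognise deserves a closer look.
$ns = 'root\subscription'

Write-Output "`n== Event filters =="
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query | Format-List

Write-Output "== Event consumers =="
Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
    Select-Object Name, @{ n = 'Type'; e = { $_.CimClass.CimClassName } } | Format-Table -AutoSize

Write-Output "== Filter-to-consumer bindings =="
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List
```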

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time. Forum policy requires that I post within 48 hours after your last post, but I do endeavor to post within 24 hours of your last post.

I would ask that you please continue to copy and paste the contents of all requested log files directly into your replies. Please do not use "code" or "quote" boxes. Thank you for your anticipated cooperation.

I will need some time to review your FRST logs. That could take a day or two, but I do hope to respond later today with an initial FRST "fixlist" script.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.

Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.

Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.

If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.

If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.

Logs can take a while to research, so please be patient.

Some issues just cannot be solved so you must be prepared for this.

Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.

Please print or copy and save the instructions.

Back up all your data and important files on another (external) drive before starting to run malware removal tools. Malware removal can cause unpredictable and unintended issues. Also you should be aware that some of the tools and scripts that will be used, will remove malware detected, without notice.

You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.

Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.

Please use only the tools you have been instructed to use.

If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."

There are no silly questions. Ask for clarification, if you have any questions or concerns.

Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!

Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.

Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.

I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.

Right click FRST64.exe, and select "Run as Administrator".

Press Fix button once and wait.

Please reboot the computer, if requested.

A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.

Please copy and paste the contents of the "fixlog.txt" file into your next reply.

Thank you for your post, for permission to address you by your first name, for the update that ComboFix has been uninstalled, and for copying and pasting the contents of the FRST "fixlog.txt" file.

We strongly recommend that users do not run ComboFix, unless under supervision and only when directed to do so. Please see this post for more information that explains the reasons for this position. Personally, I would never run ComboFix on a computer, unless every other option available to me had failed to remediate a malware infection, and that has never happened. Thankfully, the product is incompatible with Windows 8 and 10, since it is no longer being updated, thus sparing users of those versions of Windows from potentially damaging their computers by running it unsupervised.

How did you uninstall Combofix, exactly? The reason that I ask is that, unless uninstalled correctly, it will leave remnants behind and I will want a fresh copy of the "FRST.txt" log only to check for those remnants and eliminate them, if present.

Thank you for your post. That is the correct way to uninstall ComboFix. I would still like to see a fresh FRST scan log: only the "FRST.txt" scan. I don't need the "Addition.txt" scan log file. With ComboFix, I like to be sure that it is entirely gone.

Your previous FRST scan log "FRST.txt" file was truncated at the "Drivers" section. Can you try to run it again and paste the complete log? It should say, at the end:

==================== End of FRST.txt ============================

The "FRST.txt" log file for your computer should be about 600 lines long.

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.

Right click FRST64.exe, and select "Run as Administrator".

Press Fix button once and wait.

Please reboot the computer, if requested.

A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.

Please copy and paste the contents of the "fixlog.txt" file into your next reply.

Place a check mark in any additional drive you wish to scan then click OK.

Click Start.

ESET will then download updates and begin scanning your computer.

If no threats are found simply click Uninstall application on close and hit Finish.

If threats are found click List of found threats.

Click Export to text file.

Save the file on your Desktop as ESET.txt.

Click Back.

Check Uninstall application on close and Delete quarantined files.

Click Finish.

Close the ESET Online Scanner window.

Copy and paste the contents of ESET.txt into your reply, if any threats were detected. There will be no log, if no threats were detected.

Don't forget to re-enable your antivirus when finished!

.

I see that you have Malwarebytes installed. Please ensure that the settings are set as specified and follow the instructions listed below to run a scan and post the results.

Please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."

Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)."

Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."

Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.

If an update of the definitions is available, it will be downloaded and installed before the scan commences.

When the scan is complete, make sure that all Threats are selected, and click Remove Selected.

Restart your computer when prompted to do so.

The Scan log is available through Reports (double-click the appropriate scan log) or you can just double-click the "Last Scan" entry on the Dashboard. Click "Export", and then select "Copy to Clipboard". Next, please paste the contents of the log into your next reply.

.

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

The tool will start to update the database, please wait for it to complete the update.

Click on I Agree button.

Click on the Scan button.

AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.

After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).

The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.

A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

After the scan has finished ...

Uncheck any PUP and adware applications that you want to keep.

If you are unsure about one or more of the detected programs, then please copy and paste the scan log, with your questions, and I will provide you with advice about those files.
The Scan logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Do not follow the remaining "Clean" instructions until directed to do so by me, if you have any questions about one or more of the detections.
If you have no questions about any of the detections, then please proceed to the "Clean" steps below.

Then click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.

Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).

Please copy and paste the contents of that logfile into your next reply.

A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

I will be offline for the next few hours, until possibly tomorrow. Today is my weekly image backup day for my two computers. In this line of work, you see first-hand how easy it is to "lose" your computer, so I practice what I preach.

I am not facing any issues presently, but I do not understand why Malwarebytes Anti-Rootkit detected a rogue process that it needed to end before it could launch nor why running ComboFix resolved the CPU spike and abnormal behavior by MSMPENG.EXE, the Security Essentials process. Before I ran ComboFix I would get CPU loads of 100% for about 3 seconds every time I loaded a webpage as well as periodically even when the browser was closed. As I didn't get any flags from the scans except the MBAR on startup I do not know the nature or depth of infection. Is it possible that you might elucidate these sticking points? If I had spyware on my machine for example I will need to purge my passwords and secure financial processing accounts.

Thank you for your post. There is no evidence of a keylogger or backdoor Trojan on your computer. The scans and anti-malware tools that we have run would have detected such a "beast," if it was inhabiting your computer.

As for what ComboFix did, or didn't, do, I can't address that. Personally, I avoid that program like the plague. You won't see many, if any, qualified malware removal specialists using that program these days. The program is not Windows 8/10 compatible, and it has not been updated in years, so with the new Windows updates to XP, Vista, and 7, you can't have any confidence that using it, won't "break" something, even in OS versions, with which it was compatible.

.

Please provide me with a fresh set of FRST logs. I would like to make a final reconnaissance of your computer and I also want to identify the anti-malware scanners and cleaners that we used, so that we can delete them in the next post.

If there are any anti-malware tools that you want to keep, please let me know, although it is always advisable to download the latest versions of those tools, since they are updated so frequently.

If you have Malwarebytes installed, I would suggest that you keep it. If you don't want to keep Malwarebytes installed on your computer, please go to this link to download the latest version of MB-Clean.exe and run it to remove all traces of Malwarebytes. Please let me know if you did uninstall Malwarebytes. Once you have run the MB-Clean.exe tool successfully, you can manually delete that file as well.